From 5526f0316c2714d30e47a90f81e0ff686a29042f Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Mon, 8 May 2023 16:31:38 +0300 Subject: auth: Implement "Authorization Code Flow" Implement the "Authorization Code Flow" for the authentication of users. * gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py: query and save the authorisation code. * gn3/auth/authentication/oauth2/models/authorization_code.py: Implement the `AuthorisationCode` model * gn3/auth/authentication/oauth2/models/oauth2client.py: Fix typo * gn3/auth/authentication/oauth2/server.py: Register the `AuthorisationCodeGrant` grant with the server. * gn3/auth/authentication/oauth2/views.py: Implement `/authorise` endpoint * gn3/templates/base.html: New HTML Templates of authorisation UI * gn3/templates/common-macros.html: New HTML Templates of authorisation UI * gn3/templates/oauth2/authorise-user.html: New HTML Templates of authorisation UI * main.py: Allow both "code" and "token" response types. --- .../oauth2/grants/authorisation_code_grant.py | 48 ++++++++++- .../oauth2/models/authorization_code.py | 93 ++++++++++++++++++++++ .../authentication/oauth2/models/oauth2client.py | 2 +- gn3/auth/authentication/oauth2/server.py | 11 ++- gn3/auth/authentication/oauth2/views.py | 52 +++++++++++- gn3/templates/base.html | 17 ++++ gn3/templates/common-macros.html | 7 ++ gn3/templates/oauth2/authorise-user.html | 40 ++++++++++ main.py | 7 +- 9 files changed, 263 insertions(+), 14 deletions(-) create mode 100644 gn3/auth/authentication/oauth2/models/authorization_code.py create mode 100644 gn3/templates/base.html create mode 100644 gn3/templates/common-macros.html create mode 100644 gn3/templates/oauth2/authorise-user.html diff --git a/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py b/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py index d398192..f80d02e 100644 --- a/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py +++ b/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py @@ -1,24 +1,45 @@ """Classes and function for Authorisation Code flow.""" import uuid +import string +import random from typing import Optional +from datetime import datetime from flask import current_app as app from authlib.oauth2.rfc6749 import grants +from authlib.oauth2.rfc7636 import create_s256_code_challenge from gn3.auth import db +from gn3.auth.db_utils import with_db_connection from gn3.auth.authentication.users import User +from ..models.oauth2client import OAuth2Client +from ..models.authorization_code import ( + AuthorisationCode, authorisation_code, save_authorisation_code) + class AuthorisationCodeGrant(grants.AuthorizationCodeGrant): """Implement the 'Authorisation Code' grant.""" - TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post"] + TOKEN_ENDPOINT_AUTH_METHODS: list[str] = [ + "client_secret_basic", "client_secret_post"] + AUTHORIZATION_CODE_LENGTH: int = 48 + TOKEN_ENDPOINT_HTTP_METHODS = ['POST'] + GRANT_TYPE = "authorization_code" + RESPONSE_TYPES = {'code'} def save_authorization_code(self, code, request): """Persist the authorisation code to database.""" - raise Exception("NOT IMPLEMENTED!", self, code, request) + client = request.client + nonce = "".join(random.sample(string.ascii_letters + string.digits, + k=self.AUTHORIZATION_CODE_LENGTH)) + return __save_authorization_code__(AuthorisationCode( + uuid.uuid4(), code, client, request.redirect_uri, request.scope, + nonce, int(datetime.now().timestamp()), + create_s256_code_challenge(app.config["SECRET_KEY"]), + "S256", request.user)) def query_authorization_code(self, code, client): """Retrieve the code from the database.""" - raise Exception("NOT IMPLEMENTED!", self, code, client) + return __query_authorization_code__(code, client) def delete_authorization_code(self, authorization_code):# pylint: disable=[no-self-use] """Delete the authorisation code.""" @@ -36,10 +57,29 @@ class AuthorisationCodeGrant(grants.AuthorizationCodeGrant): "WHERE authorisation_code.code=?") with db.connection(app.config["AUTH_DB"]) as conn: with db.cursor(conn) as cursor: - cursor.execute(query, (str(authorization_code.user_id),)) + cursor.execute(query, (str(authorization_code.code),)) res = cursor.fetchone() if res: return User( uuid.UUID(res["user_id"]), res["email"], res["name"]) return None + +def __query_authorization_code__( + code: str, client: OAuth2Client) -> AuthorisationCode: + """A helper function that creates a new database connection. + + This is found to be necessary since the `AuthorizationCodeGrant` class(es) + do not have a way to pass the database connection.""" + def __auth_code__(conn) -> str: + the_code = authorisation_code(conn, code, client) + return the_code.maybe(None, lambda cde: cde) # type: ignore[misc, arg-type, return-value] + + return with_db_connection(__auth_code__) + +def __save_authorization_code__(code: AuthorisationCode) -> AuthorisationCode: + """A helper function that creates a new database connection. + + This is found to be necessary since the `AuthorizationCodeGrant` class(es) + do not have a way to pass the database connection.""" + return with_db_connection(lambda conn: save_authorisation_code(conn, code)) diff --git a/gn3/auth/authentication/oauth2/models/authorization_code.py b/gn3/auth/authentication/oauth2/models/authorization_code.py new file mode 100644 index 0000000..f282814 --- /dev/null +++ b/gn3/auth/authentication/oauth2/models/authorization_code.py @@ -0,0 +1,93 @@ +"""Model and functions for handling the Authorisation Code""" +from uuid import UUID +from datetime import datetime +from typing import NamedTuple + +from pymonad.maybe import Just, Maybe, Nothing + +from gn3.auth import db + +from .oauth2client import OAuth2Client + +from ...users import User, user_by_id + +__5_MINUTES__ = 300 # in seconds + +class AuthorisationCode(NamedTuple): + """ + The AuthorisationCode model for the auth(entic|oris)ation system. + """ + # Instance variables + code_id: UUID + code: str + client: OAuth2Client + redirect_uri: str + scope: str + nonce: str + auth_time: int + code_challenge: str + code_challenge_method: str + user: User + + @property + def response_type(self) -> str: + """ + For authorisation code flow, the response_type type MUST always be + 'code'. + """ + return "code" + + def is_expired(self): + """Check whether the code is expired.""" + return self.auth_time + __5_MINUTES__ < datetime.now().timestamp() + + def get_redirect_uri(self): + """Get the redirect URI""" + return self.redirect_uri + + def get_scope(self): + """Return the assigned scope for this AuthorisationCode.""" + return self.scope + + def get_nonce(self): + """Get the one-time use token.""" + return self.nonce + +def authorisation_code(conn: db.DbConnection , + code: str, + client: OAuth2Client) -> Maybe[AuthorisationCode]: + """ + Retrieve the authorisation code object that corresponds to `code` and the + given OAuth2 client. + """ + with db.cursor(conn) as cursor: + query = ("SELECT * FROM authorisation_code " + "WHERE code=:code AND client_id=:client_id") + cursor.execute( + query, {"code": code, "client_id": str(client.client_id)}) + result = cursor.fetchone() + if result: + return Just(AuthorisationCode( + UUID(result["code_id"]), result["code"], client, + result["redirect_uri"], result["scope"], result["nonce"], + int(result["auth_time"]), result["code_challenge"], + result["code_challenge_method"], + user_by_id(conn, UUID(result["user_id"])))) + return Nothing + +def save_authorisation_code(conn: db.DbConnection, + auth_code: AuthorisationCode) -> AuthorisationCode: + """Persist the `auth_code` into the database.""" + with db.cursor(conn) as cursor: + cursor.execute( + "INSERT INTO authorisation_code VALUES(" + ":code_id, :code, :client_id, :redirect_uri, :scope, :nonce, " + ":auth_time, :code_challenge, :code_challenge_method, :user_id" + ")", + { + **auth_code._asdict(), + "code_id": str(auth_code.code_id), + "client_id": str(auth_code.client.client_id), + "user_id": str(auth_code.user.user_id) + }) + return auth_code diff --git a/gn3/auth/authentication/oauth2/models/oauth2client.py b/gn3/auth/authentication/oauth2/models/oauth2client.py index da5ff75..b7d37be 100644 --- a/gn3/auth/authentication/oauth2/models/oauth2client.py +++ b/gn3/auth/authentication/oauth2/models/oauth2client.py @@ -102,7 +102,7 @@ class OAuth2Client(NamedTuple): @property def response_types(self) -> Sequence[str]: """Return the response_types that this client supports.""" - return self.client_metadata.get("response_types", []) + return self.client_metadata.get("response_type", []) def check_response_type(self, response_type: str) -> bool: """Check whether this client supports `response_type`.""" diff --git a/gn3/auth/authentication/oauth2/server.py b/gn3/auth/authentication/oauth2/server.py index 73c9340..e9946b4 100644 --- a/gn3/auth/authentication/oauth2/server.py +++ b/gn3/auth/authentication/oauth2/server.py @@ -5,8 +5,7 @@ from typing import Callable from flask import Flask, current_app from authlib.integrations.flask_oauth2 import AuthorizationServer -# from authlib.integrations.sqla_oauth2 import ( -# create_save_token_func, create_query_client_func) +# from authlib.oauth2.rfc7636 import CodeChallenge from gn3.auth import db @@ -14,7 +13,7 @@ from .models.oauth2client import client from .models.oauth2token import OAuth2Token, save_token from .grants.password_grant import PasswordGrant -# from .grants.authorisation_code_grant import AuthorisationCodeGrant +from .grants.authorisation_code_grant import AuthorisationCodeGrant from .endpoints.revocation import RevocationEndpoint from .endpoints.introspection import IntrospectionEndpoint @@ -49,7 +48,11 @@ def setup_oauth2_server(app: Flask) -> None: """Set's up the oauth2 server for the flask application.""" server = AuthorizationServer() server.register_grant(PasswordGrant) - # server.register_grant(AuthorisationCodeGrant) + + # Figure out a common `code_verifier` for GN2 and GN3 and set + # server.register_grant(AuthorisationCodeGrant, [CodeChallenge(required=False)]) + # below + server.register_grant(AuthorisationCodeGrant) # register endpoints server.register_endpoint(RevocationEndpoint) diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py index 3a14a48..48a97da 100644 --- a/gn3/auth/authentication/oauth2/views.py +++ b/gn3/auth/authentication/oauth2/views.py @@ -1,14 +1,28 @@ """Endpoints for the oauth2 server""" import uuid +import traceback -from flask import Response, Blueprint, current_app as app +from email_validator import validate_email, EmailNotValidError +from flask import ( + flash, + request, + url_for, + redirect, + Response, + Blueprint, + render_template, + current_app as app) +from gn3.auth import db +from gn3.auth.db_utils import with_db_connection from gn3.auth.authorisation.errors import ForbiddenAccess from .resource_server import require_oauth from .endpoints.revocation import RevocationEndpoint from .endpoints.introspection import IntrospectionEndpoint +from ..users import valid_login, NotFoundError, user_by_email + auth = Blueprint("auth", __name__) @auth.route("/register-client", methods=["GET", "POST"]) @@ -24,7 +38,41 @@ def delete_client(client_id: uuid.UUID): @auth.route("/authorise", methods=["GET", "POST"]) def authorise(): """Authorise a user""" - return "WOULD AUTHORISE THE USER." + server = app.config["OAUTH2_SERVER"] + client_id = uuid.UUID(request.args.get("client_id", str(uuid.uuid4()))) + client = server.query_client(client_id) + if not bool(client): + flash("Invalid OAuth2 client.", "alert-error") + if request.method == "GET": + client = server.query_client(request.args.get("client_id")) + return render_template( + "oauth2/authorise-user.html", + client=client, + scope=client.scope, + response_type="code") + + form = request.form + def __authorise__(conn: db.DbConnection) -> Response: + email_passwd_msg = "Email or password is invalid!" + redirect_response = redirect(url_for("oauth2.auth.authorise", + client_id=client_id)) + try: + email = validate_email(form.get("user:email")) + user = user_by_email(conn, email["email"]) + if valid_login(conn, user, form.get("user:password", "")): + return server.create_authorization_response(request=request, grant_user=user) + flash(email_passwd_msg, "alert-error") + return redirect_response # type: ignore[return-value] + except EmailNotValidError as _enve: + app.logger.debug(traceback.format_exc()) + flash(email_passwd_msg, "alert-error") + return redirect_response # type: ignore[return-value] + except NotFoundError as _nfe: + app.logger.debug(traceback.format_exc()) + flash(email_passwd_msg, "alert-error") + return redirect_response # type: ignore[return-value] + + return with_db_connection(__authorise__) @auth.route("/token", methods=["POST"]) def token(): diff --git a/gn3/templates/base.html b/gn3/templates/base.html new file mode 100644 index 0000000..c1070ed --- /dev/null +++ b/gn3/templates/base.html @@ -0,0 +1,17 @@ +{% from "common-macros.html" import flash_messages%} + + + + + + + Genenetwork 3: {%block title%}{%endblock%} + + {%block css%}{%endblock%} + + + + {%block content%}{%endblock%} + {%block js%}{%endblock%} + + diff --git a/gn3/templates/common-macros.html b/gn3/templates/common-macros.html new file mode 100644 index 0000000..1d9f302 --- /dev/null +++ b/gn3/templates/common-macros.html @@ -0,0 +1,7 @@ +{%macro flash_messages()%} +
+ {%for category,message in get_flashed_messages(with_categories=true)%} + + {%endfor%} +
+{%endmacro%} diff --git a/gn3/templates/oauth2/authorise-user.html b/gn3/templates/oauth2/authorise-user.html new file mode 100644 index 0000000..d40379f --- /dev/null +++ b/gn3/templates/oauth2/authorise-user.html @@ -0,0 +1,40 @@ +{%extends "base.html"%} + +{%block title%}Authorise User{%endblock%} + +{%block content%} +{{flash_messages()}} + +

Authenticate to the API Server

+ +
+ + +

+ You are authorising "{{client.client_metadata.client_name}}" to access + Genenetwork 3 with the following scope: +

+
+ Scope + {%for scp in scope%} + + +
+ {%endfor%} +
+ +
+ User Credentials + + +
+ + + +
+ + +
+{%endblock%} diff --git a/main.py b/main.py index 6890b33..3c4b146 100644 --- a/main.py +++ b/main.py @@ -74,10 +74,11 @@ def init_dev_clients(): "token_endpoint_auth_method": [ "client_secret_post", "client_secret_basic"], "client_type": "confidential", - "grant_types": ["password", "authorisation_code", "refresh_token"], + "grant_types": ["password", "authorization_code", "refresh_token"], "default_redirect_uri": "http://localhost:5033/oauth2/code", - "redirect_uris": ["http://localhost:5033/oauth2/code"], - "response_type": "token", # choices: ["code", "token"] + "redirect_uris": ["http://localhost:5033/oauth2/code", + "http://localhost:5033/oauth2/token"], + "response_type": ["code", "token"], "scope": ["profile", "group", "role", "resource", "register-client", "user", "migrate-data", "introspect"] }), -- cgit v1.2.3